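/**
 * Builds the {@link TrustKeyManager} declared by the {@code KeyProvider} element of the
 * SP configuration and stores it in {@link #keyManager}.
 *
 * <p>Does nothing unless {@link #doSupportSignature()} is true. The key manager class name
 * comes from the deployment configuration and is instantiated reflectively. The configured
 * auth properties and validating alias are passed through; if an
 * {@code X509Certificate} auth property is present its value (an alias) is exposed as an
 * additional option so the certificate can be placed in {@code SignedInfo}; the identity
 * provider host is registered under {@link ServiceProviderBaseProcessor#IDP_KEY}.
 *
 * @throws RuntimeException if no key provider or class name is configured, the class cannot
 *         be loaded or instantiated, or the identity URL is missing or malformed. The
 *         underlying exception is retained as the cause.
 */
protected void initKeyProvider() {
    if (!doSupportSignature()) {
        return;
    }
    SPType configuration = getConfiguration();
    KeyProviderType keyProvider = configuration.getKeyProvider();
    if (keyProvider == null) {
        throw new RuntimeException(ErrorCodes.NULL_VALUE + "KeyProvider is null for context=" + getContextPath());
    }
    String keyManagerClassName = keyProvider.getClassName();
    try {
        if (keyManagerClassName == null) {
            throw new RuntimeException(ErrorCodes.NULL_VALUE + "KeyManager class name");
        }
        Class<?> clazz = SecurityActions.loadClass(getClass(), keyManagerClassName);
        if (clazz == null) {
            throw new ClassNotFoundException(ErrorCodes.CLASS_NOT_LOADED + keyManagerClassName);
        }
        TrustKeyManager trustKeyManager = (TrustKeyManager) clazz.newInstance();

        List<AuthPropertyType> authProperties = CoreConfigUtil.getKeyProviderProperties(keyProvider);
        trustKeyManager.setAuthProperties(authProperties);
        trustKeyManager.setValidatingAlias(keyProvider.getValidatingAlias());

        // Special case: the X509Certificate property's value is the alias whose
        // certificate must appear in SignedInfo.
        if (authProperties != null) {
            for (AuthPropertyType authProperty : authProperties) {
                if (GeneralConstants.X509CERTIFICATE.equals(authProperty.getKey())) {
                    trustKeyManager.addAdditionalOption(GeneralConstants.X509CERTIFICATE, authProperty.getValue());
                    break;
                }
            }
        }

        String identityURL = configuration.getIdentityURL();
        if (identityURL == null) {
            // new URL(null) would fail with an opaque message; name the missing setting instead
            throw new RuntimeException(ErrorCodes.NULL_VALUE + "IdentityURL");
        }
        trustKeyManager.addAdditionalOption(ServiceProviderBaseProcessor.IDP_KEY, new URL(identityURL).getHost());
        this.keyManager = trustKeyManager;
    } catch (Exception e) {
        logger.trustKeyManagerCreationError(e);
        // Keep the cause so the failing class or URL is diagnosable from the stack trace
        throw new RuntimeException(e.getLocalizedMessage(), e);
    }
    logger.trace("Key Provider=" + keyManagerClassName);
}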
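/**
 * Loads the service provider configuration and applies it to this filter.
 *
 * <p>The configuration stream is opened from {@link #configFile} when that is set,
 * otherwise from {@link #CONFIG_FILE_LOCATION} in the servlet context. If the
 * {@link #CONFIGURATION_PROVIDER} init parameter names a {@link SAMLConfigurationProvider},
 * that provider is instantiated and supplies the configuration; an
 * {@link AbstractSAMLConfigurationProvider} is additionally handed the consolidated stream,
 * or the {@link GeneralConstants#DEPRECATED_CONFIG_FILE_LOCATION} stream when no
 * consolidated file exists. Without a provider the stream is parsed directly, falling
 * back to the deprecated location.
 *
 * <p>The configuration file path and the provider class name are deployment settings read
 * from the filter configuration, not request data. The configuration stream is closed on
 * every path, including failures.
 *
 * @param filterConfig the filter configuration supplying init parameters
 * @throws RuntimeException if the configuration cannot be located, parsed or applied
 */
protected void processConfiguration(FilterConfig filterConfig) {
    InputStream is = openSPConfigurationStream();
    try {
        String configurationProviderName = filterConfig.getInitParameter(CONFIGURATION_PROVIDER);
        if (configurationProviderName != null) {
            this.configProvider = instantiateConfigurationProvider(configurationProviderName);
        }
        try {
            PicketLinkType picketLinkType;
            try {
                if (configProvider != null) {
                    if (is == null) {
                        // No consolidated file: try the older, SP-only location
                        is = servletContext.getResourceAsStream(GeneralConstants.DEPRECATED_CONFIG_FILE_LOCATION);
                        if (is != null && configProvider instanceof AbstractSAMLConfigurationProvider) {
                            ((AbstractSAMLConfigurationProvider) configProvider).setConfigFile(is);
                        }
                    } else if (configProvider instanceof AbstractSAMLConfigurationProvider) {
                        ((AbstractSAMLConfigurationProvider) configProvider).setConsolidatedConfigFile(is);
                    }
                    picketLinkType = configProvider.getPicketLinkConfiguration();
                    picketLinkType.setIdpOrSP(configProvider.getSPConfiguration());
                } else if (is != null) {
                    picketLinkType = ConfigurationUtil.getConfiguration(is);
                } else {
                    is = servletContext.getResourceAsStream(GeneralConstants.DEPRECATED_CONFIG_FILE_LOCATION);
                    if (is == null) {
                        throw logger.configurationFileMissing(configFile);
                    }
                    picketLinkType = new PicketLinkType();
                    picketLinkType.setIdpOrSP(ConfigurationUtil.getSPConfiguration(is));
                }
            } catch (ProcessingException e) {
                throw logger.samlSPConfigurationError(e);
            } catch (ParsingException e) {
                logger.trace(e);
                throw logger.samlSPConfigurationError(e);
            }

            if (resolveAuditEnabled(picketLinkType) && auditHelper == null) {
                String securityDomainName = PicketLinkAuditHelper.getSecurityDomainName(servletContext);
                auditHelper = new PicketLinkAuditHelper(securityDomainName);
            }

            SPType spConfiguration = (SPType) picketLinkType.getIdpOrSP();
            processIdPMetadata(spConfiguration);
            this.serviceURL = spConfiguration.getServiceURL();
            this.canonicalizationMethod = spConfiguration.getCanonicalizationMethod();
            this.picketLinkConfiguration = picketLinkType;
            this.issuerID = filterConfig.getInitParameter(ISSUER_ID);
            this.characterEncoding = filterConfig.getInitParameter(CHARACTER_ENCODING);
            this.samlHandlerChainClass = filterConfig.getInitParameter(SAML_HANDLER_CHAIN_CLASS);
            logger.samlSPSettingCanonicalizationMethod(canonicalizationMethod);
            XMLSignatureUtil.setCanonicalizationMethodType(canonicalizationMethod);
            // Any checked exception from these is wrapped exactly once by the catch below
            this.initKeyProvider();
            this.initializeHandlerChain(picketLinkType);
            logger.trace("Identity Provider URL=" + getConfiguration().getIdentityURL());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    } finally {
        closeConfigurationStream(is);
    }
}

/**
 * Opens the SP configuration stream: the explicit {@link #configFile} when set, otherwise
 * {@link #CONFIG_FILE_LOCATION} from the servlet context (which may yield {@code null}).
 *
 * @return the configuration stream, or {@code null} if the context resource does not exist
 * @throws RuntimeException if {@link #configFile} is set but cannot be opened
 */
private InputStream openSPConfigurationStream() {
    if (isNullOrEmpty(this.configFile)) {
        return servletContext.getResourceAsStream(CONFIG_FILE_LOCATION);
    }
    try {
        return new FileInputStream(this.configFile);
    } catch (FileNotFoundException e) {
        throw logger.samlIDPConfigurationError(e);
    }
}

/**
 * Loads and instantiates the configuration provider class named in the filter init parameter.
 *
 * @param className fully qualified provider class name from the deployment descriptor
 * @return the new provider instance
 * @throws RuntimeException if the class cannot be loaded, instantiated or cast; the
 *         underlying exception is retained as the cause
 */
private SAMLConfigurationProvider instantiateConfigurationProvider(String className) {
    try {
        Class<?> clazz = SecurityActions.loadClass(getClass(), className);
        if (clazz == null) {
            throw new ClassNotFoundException(ErrorCodes.CLASS_NOT_LOADED + className);
        }
        return (SAMLConfigurationProvider) clazz.newInstance();
    } catch (Exception e) {
        throw new RuntimeException("Could not create configuration provider [" + className + "].", e);
    }
}

/**
 * Decides whether auditing is on: the configuration flag (a {@code null} flag counts as
 * off), overridden by the {@link GeneralConstants#AUDIT_ENABLE} system property when set.
 *
 * @param picketLinkType the parsed configuration
 * @return {@code true} if audit logging should be enabled
 */
private boolean resolveAuditEnabled(PicketLinkType picketLinkType) {
    boolean enableAudit = Boolean.TRUE.equals(picketLinkType.isEnableAudit());
    if (!enableAudit) {
        // "NULL" is a sentinel default so an absent property can be told apart from "false"
        String sysProp = SecurityActions.getSystemProperty(GeneralConstants.AUDIT_ENABLE, "NULL");
        if (!"NULL".equals(sysProp)) {
            enableAudit = Boolean.parseBoolean(sysProp);
        }
    }
    return enableAudit;
}

/**
 * Closes the configuration stream if one was opened; a close failure is ignored because
 * the content has already been consumed.
 *
 * @param is the stream to close, may be {@code null}
 */
private void closeConfigurationStream(InputStream is) {
    if (is == null) {
        return;
    }
    try {
        is.close();
    } catch (IOException ignored) {
        // already fully read; nothing useful to do on a failed close
    }
}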
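/**
 * Initializes this provider from its configuration properties, creating the token
 * registry and the revocation registry.
 *
 * <p>Each registry is chosen by the {@link #TOKEN_REGISTRY} / {@link #REVOCATION_REGISTRY}
 * property: {@code FILE}, {@code JPA} or {@code JDBC} (case-insensitive) select the built-in
 * implementations, optionally configured by their companion property; any other value is
 * treated as the fully qualified name of a custom implementation to load and instantiate.
 * When nothing usable is configured the default registry is used.
 *
 * <p>Custom registry class names are taken from the STS configuration, which is trusted
 * deployment input; an instance that does not implement the expected registry interface is
 * rejected and logged rather than used.
 *
 * @param properties the provider configuration properties; retained by this instance and
 *        must not be {@code null}
 */
public void initialize(Map<String, String> properties) {
    this.properties = properties;
    initTokenRegistry();
    initRevocationRegistry();
}

/** Sets {@link #tokenRegistry} from {@link #TOKEN_REGISTRY}, defaulting to {@link DefaultTokenRegistry}. */
private void initTokenRegistry() {
    String tokenRegistryOption = this.properties.get(TOKEN_REGISTRY);
    if (tokenRegistryOption == null) {
        logger.stsTokenRegistryNotSpecified();
    } else if ("FILE".equalsIgnoreCase(tokenRegistryOption)) {
        // File-backed registry; the file name is optional
        String tokenRegistryFile = this.properties.get(TOKEN_REGISTRY_FILE);
        this.tokenRegistry = tokenRegistryFile != null
                ? new FileBasedTokenRegistry(tokenRegistryFile)
                : new FileBasedTokenRegistry();
    } else if ("JPA".equalsIgnoreCase(tokenRegistryOption)) {
        String tokenRegistryJpa = this.properties.get(TOKEN_REGISTRY_JPA);
        this.tokenRegistry = tokenRegistryJpa != null
                ? new JPABasedTokenRegistry(tokenRegistryJpa)
                : new JPABasedTokenRegistry();
    } else if ("JDBC".equalsIgnoreCase(tokenRegistryOption)) {
        String tokenRegistryJdbc = this.properties.get(TOKEN_REGISTRY_JDBC);
        this.tokenRegistry = tokenRegistryJdbc != null
                ? new JDBCTokenRegistry(tokenRegistryJdbc)
                : new JDBCTokenRegistry();
    } else {
        // Any other value names a custom implementation class
        try {
            Object registry = instantiateRegistry(tokenRegistryOption);
            if (registry instanceof SecurityTokenRegistry) {
                this.tokenRegistry = (SecurityTokenRegistry) registry;
            } else if (registry != null) {
                logger.stsTokenRegistryInvalidType(tokenRegistryOption);
            }
        } catch (Exception e) {
            logger.stsTokenRegistryInstantiationError();
            logger.trace(e);
        }
    }
    if (this.tokenRegistry == null) {
        this.tokenRegistry = new DefaultTokenRegistry();
    }
}

/** Sets {@link #revocationRegistry} from {@link #REVOCATION_REGISTRY}, defaulting to {@link DefaultRevocationRegistry}. */
private void initRevocationRegistry() {
    String registryOption = this.properties.get(REVOCATION_REGISTRY);
    if (registryOption == null) {
        logger.stsRevocationRegistryNotSpecified();
    } else if ("FILE".equalsIgnoreCase(registryOption)) {
        // File-backed registry; the file name is optional
        String registryFile = this.properties.get(REVOCATION_REGISTRY_FILE);
        this.revocationRegistry = registryFile != null
                ? new FileBasedRevocationRegistry(registryFile)
                : new FileBasedRevocationRegistry();
    } else if ("JPA".equalsIgnoreCase(registryOption)) {
        // JPA registry storing the revoked ids; configuration name is optional
        String configuration = this.properties.get(REVOCATION_REGISTRY_JPA_CONFIG);
        this.revocationRegistry = configuration != null
                ? new JPABasedRevocationRegistry(configuration)
                : new JPABasedRevocationRegistry();
    } else if ("JDBC".equalsIgnoreCase(registryOption)) {
        String configuration = this.properties.get(REVOCATION_REGISTRY_JDBC_CONFIG);
        this.revocationRegistry = configuration != null
                ? new JDBCRevocationRegistry(configuration)
                : new JDBCRevocationRegistry();
    } else {
        // Any other value names a custom implementation class
        try {
            Object registry = instantiateRegistry(registryOption);
            if (registry instanceof RevocationRegistry) {
                this.revocationRegistry = (RevocationRegistry) registry;
            } else if (registry != null) {
                logger.stsRevocationRegistryInvalidType(registryOption);
            }
        } catch (Exception e) {
            logger.stsRevocationRegistryInstantiationError();
            logger.trace(e);
        }
    }
    if (this.revocationRegistry == null) {
        this.revocationRegistry = new DefaultRevocationRegistry();
    }
}

/**
 * Loads and instantiates a custom registry implementation named in the configuration.
 *
 * @param className fully qualified class name from the configuration properties
 * @return the new instance, or {@code null} if the class could not be found
 * @throws Exception if the class cannot be instantiated
 */
private Object instantiateRegistry(String className) throws Exception {
    Class<?> clazz = SecurityActions.loadClass(getClass(), className);
    return clazz == null ? null : clazz.newInstance();
}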